Supabase Developer Update May 2026: More Secure APIs, Custom Auth Providers, and Better Developer Tooling

Custom OAuth and OIDC Providers for Supabase Auth

One of the biggest updates is support for custom OAuth2 and OpenID Connect providers in Supabase Auth.

This means developers can connect Supabase projects to almost any standards-compliant identity provider, including GitHub Enterprise, regional identity providers, and internal company authentication systems. Supabase also notes that PKCE is enabled by default, which helps improve authentication security.

This is especially useful for SaaS apps, internal business tools, and enterprise systems that need to work with custom identity providers instead of only the usual login options.

New Public Tables Are No Longer Automatically Exposed

Another important update is a change to how new tables in the public schema are exposed through the Data API.

Starting April 28, 2026, new Supabase projects can opt out of automatic Data API exposure for public schema tables. Supabase says this new behavior becomes the default for all new projects on May 30, 2026, and will be applied to existing projects on October 30, 2026.

Previously, new tables in the public schema could become reachable through the Data API automatically. With the new behavior, developers need to explicitly add Postgres GRANT statements before those tables can be accessed through PostgREST or GraphQL.

This is a strong security improvement because it makes API access more intentional. Instead of exposing tables by default, developers now decide exactly which roles should have access.

Example:

grant select on public.your_table to anon;
grant select, insert, update, delete on public.your_table to authenticated;

alter table public.your_table enable row level security;

This change is especially important for developers using supabase-js, the REST API, GraphQL, migrations, CLI scripts, or AI coding tools that create database tables automatically.

Supabase Is Now ISO 27001 Certified

Supabase also announced that it is now ISO/IEC 27001:2022 certified. This certification covers Supabase’s information security management system across the platform.

For teams building production apps, this is a meaningful milestone. It gives companies more confidence when using Supabase for applications that require stronger security practices, vendor reviews, or compliance checks.

Stripe Sync Engine Moves to Stripe

The Stripe Sync Engine, originally built by Supabase, has now moved to the Stripe GitHub organization. Supabase says it remains open source and will be maintained by Stripe going forward.

This is a good move for the ecosystem because the project is directly related to syncing Stripe data. With Stripe maintaining it, developers can expect better alignment with Stripe’s platform.

Introducing @supabase/server

Supabase also introduced @supabase/server, a new SDK designed to simplify server-side Supabase development.

According to Supabase, it handles authentication, client creation, CORS, and context injection across multiple runtimes, including Edge Functions, Vercel Functions, Deno, Bun, and Cloudflare Workers.

This is useful for developers who deploy across different environments and want a more consistent way to set up Supabase on the server side.

More Product Updates

Supabase also shared several smaller but useful updates.

The Supabase app in the Stripe Marketplace is now generally available. Branching without Git is now the default, meaning developers can create branches directly from the dashboard without needing a GitHub integration. Supabase also revamped Data API settings with per-table and per-function toggles for controlling what gets exposed to PostgREST and GraphQL.

The Supabase changelog also received improvements, including RSS feeds, tag filtering, a Markdown feed, and options to copy entries or ask AI tools about them. Terraform Provider v1.9.0 also added support for Edge Functions resources, Edge Function secrets resources, and a network bans data source.

Community Growth

The May 2026 update also highlights Supabase’s continued growth. Supabase shared that its GitHub repository reached 100,000 stars and that the platform now has 8 million developers.

That growth shows how popular Supabase has become for developers who want a fast way to build apps with Postgres, authentication, storage, APIs, edge functions, and realtime features.

Final Thoughts

The Supabase Developer Update for May 2026 shows a platform that is becoming more secure, flexible, and production-ready.

Custom OAuth/OIDC support gives developers more authentication options. The new Data API behavior improves security by requiring explicit access grants. ISO 27001 certification strengthens trust for business and enterprise use cases. And tools like @supabase/server, improved Data API settings, and Terraform updates make the developer experience better.

Overall, this release is a strong step forward for teams using Supabase to build serious applications.

References

1. Supabase Developer Update - May 2026

2. Custom OAuth/OIDC Providers for Supabase Auth

3. Breaking Change: Tables not exposed to Data and GraphQL API automatically

4. Supabase is now ISO 27001 certified

5. Stripe Sync Engine transfer to Stripe

6. Securing your API - Supabase Docs